<!DOCTYPE HTML>

<html lang="en">
<head>

<title>DefaultHttpFirewall (spring-security-docs 5.6.3 API)</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="../../../../../stylesheet.css" title="Style">
<link rel="stylesheet" type="text/css" href="../../../../../jquery/jquery-ui.css" title="Style">
<script type="text/javascript" src="../../../../../script.js"></script>
<script type="text/javascript" src="../../../../../jquery/jszip/dist/jszip.min.js"></script>
<script type="text/javascript" src="../../../../../jquery/jszip-utils/dist/jszip-utils.min.js"></script>
<!--[if IE]>
<script type="text/javascript" src="../../../../../jquery/jszip-utils/dist/jszip-utils-ie.min.js"></script>
<![endif]-->
<script type="text/javascript" src="../../../../../jquery/jquery-3.5.1.js"></script>
<script type="text/javascript" src="../../../../../jquery/jquery-ui.js"></script>
</head>
<body>
<script type="text/javascript"><!--
    try {
        if (location.href.indexOf('is-external=true') == -1) {
            parent.document.title="DefaultHttpFirewall (spring-security-docs 5.6.3 API)";
        }
    }
    catch(err) {
    }
//-->
var data = {"i0":10,"i1":10,"i2":10};
var tabs = {65535:["t0","All Methods"],2:["t2","Instance Methods"],8:["t4","Concrete Methods"]};
var altColor = "altColor";
var rowColor = "rowColor";
var tableTab = "tableTab";
var activeTableTab = "activeTableTab";
var pathtoroot = "../../../../../";
var useModuleDirectories = true;
loadScripts(document, 'script');</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
<header role="banner">
<nav role="navigation">
<div class="fixedNav">

<div class="topNav"><a id="navbar.top">

</a>
<div class="skipNav"><a href="DefaultHttpFirewall.html#skip.navbar.top" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.top.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_top">
<li><a href="../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<ul class="navListSearch">
<li><label for="search">SEARCH:</label>
<input type="text" id="search" value="search" disabled="disabled">
<input type="reset" id="reset" value="reset" disabled="disabled">
</li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_top");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li>Nested&nbsp;|&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.top">

</a></div>

</div>
<div class="navPadding">&nbsp;</div>
<script type="text/javascript"><!--
$('.navPadding').css('padding-top', $('.fixedNav').css("height"));
//-->
</script>
</nav>
</header>

<main role="main">
<div class="header">
<div class="subTitle"><span class="packageLabelInType">Package</span>&nbsp;<a href="package-summary.html">org.springframework.security.web.firewall</a></div>
<h2 title="Class DefaultHttpFirewall" class="title">Class DefaultHttpFirewall</h2>
</div>
<div class="contentContainer">
<ul class="inheritance">
<li>java.lang.Object</li>
<li>
<ul class="inheritance">
<li>org.springframework.security.web.firewall.DefaultHttpFirewall</li>
</ul>
</li>
</ul>
<div class="description">
<ul class="blockList">
<li class="blockList">
<dl>
<dt>All Implemented Interfaces:</dt>
<dd><code><a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></code></dd>
</dl>
<hr>
<pre>public class <span class="typeNameLabel">DefaultHttpFirewall</span>
extends java.lang.Object
implements <a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></pre>
<div class="block"><p>
User's should consider using <a href="StrictHttpFirewall.html" title="class in org.springframework.security.web.firewall"><code>StrictHttpFirewall</code></a> because rather than trying to
sanitize a malicious URL it rejects the malicious URL providing better security
guarantees.
<p>
Default implementation which wraps requests in order to provide consistent values of
the <code>servletPath</code> and <code>pathInfo</code>, which do not contain path parameters (as
defined in <a href="https://www.ietf.org/rfc/rfc2396.txt">RFC 2396</a>). Different
servlet containers interpret the servlet spec differently as to how path parameters are
treated and it is possible they might be added in order to bypass particular security
constraints. When using this implementation, they will be removed for all requests as
the request passes through the security filter chain. Note that this means that any
segments in the decoded path which contain a semi-colon, will have the part following
the semi-colon removed for request matching. Your application should not contain any
valid paths which contain semi-colons.
<p>
If any un-normalized paths are found (containing directory-traversal character
sequences), the request will be rejected immediately. Most containers normalize the
paths before performing the servlet-mapping, but again this is not guaranteed by the
servlet spec.</div>
<dl>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><a href="StrictHttpFirewall.html" title="class in org.springframework.security.web.firewall"><code>StrictHttpFirewall</code></a></dd>
</dl>
</li>
</ul>
</div>
<div class="summary">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.summary">

</a>
<h3>Constructor Summary</h3>
<table class="memberSummary">
<caption><span>Constructors</span><span class="tabEnd">&nbsp;</span></caption>
<tr>
<th class="colFirst" scope="col">Constructor</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr class="altColor">
<th class="colConstructorName" scope="row"><code><span class="memberNameLink"><a href="DefaultHttpFirewall.html#%3Cinit%3E()">DefaultHttpFirewall</a></span>()</code></th>
<td class="colLast">&nbsp;</td>
</tr>
</table>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.summary">

</a>
<h3>Method Summary</h3>
<table class="memberSummary">
<caption><span id="t0" class="activeTableTab"><span>All Methods</span><span class="tabEnd">&nbsp;</span></span><span id="t2" class="tableTab"><span><a href="javascript:show(2);">Instance Methods</a></span><span class="tabEnd">&nbsp;</span></span><span id="t4" class="tableTab"><span><a href="javascript:show(8);">Concrete Methods</a></span><span class="tabEnd">&nbsp;</span></span></caption>
<tr>
<th class="colFirst" scope="col">Modifier and Type</th>
<th class="colSecond" scope="col">Method</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr id="i0" class="altColor">
<td class="colFirst"><code><a href="FirewalledRequest.html" title="class in org.springframework.security.web.firewall">FirewalledRequest</a></code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="DefaultHttpFirewall.html#getFirewalledRequest(javax.servlet.http.HttpServletRequest)">getFirewalledRequest</a></span>&#8203;(javax.servlet.http.HttpServletRequest&nbsp;request)</code></th>
<td class="colLast">
<div class="block">Provides the request object which will be passed through the filter chain.</div>
</td>
</tr>
<tr id="i1" class="rowColor">
<td class="colFirst"><code>javax.servlet.http.HttpServletResponse</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="DefaultHttpFirewall.html#getFirewalledResponse(javax.servlet.http.HttpServletResponse)">getFirewalledResponse</a></span>&#8203;(javax.servlet.http.HttpServletResponse&nbsp;response)</code></th>
<td class="colLast">
<div class="block">Provides the response which will be passed through the filter chain.</div>
</td>
</tr>
<tr id="i2" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="DefaultHttpFirewall.html#setAllowUrlEncodedSlash(boolean)">setAllowUrlEncodedSlash</a></span>&#8203;(boolean&nbsp;allowUrlEncodedSlash)</code></th>
<td class="colLast">
<div class="block">
Sets if the application should allow a URL encoded slash character.</div>
</td>
</tr>
</table>
<ul class="blockList">
<li class="blockList"><a id="methods.inherited.from.class.java.lang.Object">

</a>
<h3>Methods inherited from class&nbsp;java.lang.Object</h3>
<code>clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait</code></li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
<div class="details">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.detail">

</a>
<h3>Constructor Detail</h3>
<a id="&lt;init&gt;()">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>DefaultHttpFirewall</h4>
<pre>public&nbsp;DefaultHttpFirewall()</pre>
</li>
</ul>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.detail">

</a>
<h3>Method Detail</h3>
<a id="getFirewalledRequest(javax.servlet.http.HttpServletRequest)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getFirewalledRequest</h4>
<pre class="methodSignature">public&nbsp;<a href="FirewalledRequest.html" title="class in org.springframework.security.web.firewall">FirewalledRequest</a>&nbsp;getFirewalledRequest&#8203;(javax.servlet.http.HttpServletRequest&nbsp;request)
                                       throws <a href="RequestRejectedException.html" title="class in org.springframework.security.web.firewall">RequestRejectedException</a></pre>
<div class="block"><span class="descfrmTypeLabel">Description copied from interface:&nbsp;<code><a href="HttpFirewall.html#getFirewalledRequest(javax.servlet.http.HttpServletRequest)">HttpFirewall</a></code></span></div>
<div class="block">Provides the request object which will be passed through the filter chain.</div>
<dl>
<dt><span class="overrideSpecifyLabel">Specified by:</span></dt>
<dd><code><a href="HttpFirewall.html#getFirewalledRequest(javax.servlet.http.HttpServletRequest)">getFirewalledRequest</a></code>&nbsp;in interface&nbsp;<code><a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></code></dd>
<dt><span class="throwsLabel">Throws:</span></dt>
<dd><code><a href="RequestRejectedException.html" title="class in org.springframework.security.web.firewall">RequestRejectedException</a></code> - if the request should be rejected immediately</dd>
</dl>
</li>
</ul>
<a id="getFirewalledResponse(javax.servlet.http.HttpServletResponse)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getFirewalledResponse</h4>
<pre class="methodSignature">public&nbsp;javax.servlet.http.HttpServletResponse&nbsp;getFirewalledResponse&#8203;(javax.servlet.http.HttpServletResponse&nbsp;response)</pre>
<div class="block"><span class="descfrmTypeLabel">Description copied from interface:&nbsp;<code><a href="HttpFirewall.html#getFirewalledResponse(javax.servlet.http.HttpServletResponse)">HttpFirewall</a></code></span></div>
<div class="block">Provides the response which will be passed through the filter chain.</div>
<dl>
<dt><span class="overrideSpecifyLabel">Specified by:</span></dt>
<dd><code><a href="HttpFirewall.html#getFirewalledResponse(javax.servlet.http.HttpServletResponse)">getFirewalledResponse</a></code>&nbsp;in interface&nbsp;<code><a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></code></dd>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>response</code> - the original response</dd>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>either the original response or a replacement/wrapper.</dd>
</dl>
</li>
</ul>
<a id="setAllowUrlEncodedSlash(boolean)">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>setAllowUrlEncodedSlash</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowUrlEncodedSlash&#8203;(boolean&nbsp;allowUrlEncodedSlash)</pre>
<div class="block"><p>
Sets if the application should allow a URL encoded slash character.
</p>
<p>
If true (default is false), a URL encoded slash will be allowed in the URL.
Allowing encoded slashes can cause security vulnerabilities in some situations
depending on how the container constructs the HttpServletRequest.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowUrlEncodedSlash</code> - the new value (default false)</dd>
</dl>
</li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
</div>
</main>

<footer role="contentinfo">
<nav role="navigation">

<div class="bottomNav"><a id="navbar.bottom">

</a>
<div class="skipNav"><a href="DefaultHttpFirewall.html#skip.navbar.bottom" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.bottom.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_bottom">
<li><a href="../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_bottom");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li>Nested&nbsp;|&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="DefaultHttpFirewall.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.bottom">

</a></div>

</nav>
</footer>
<script>if (window.parent == window) {(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create', 'UA-2728886-23', 'auto', {'siteSpeedSampleRate': 100});ga('send', 'pageview');}</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"7040d8e67b5a980c","token":"bffcb8a918ae4755926f76178bfbd26b","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body>
</html>
